[r=elachuni,facundobatista] LP#936153, After login, redirecting to a URL that…

[r=elachuni,facundobatista] LP#936153, After login, redirecting to a URL that contains non-ASCII characters would fail because the naive "str(foo)" scheme used in urllib would use the default system encoding, which we can't trust at all.

[r=elachuni,facundobatista] LP#936153, After login, redirecting to a URL that…
[r=elachuni,facundobatista] LP#936153, After login, redirecting to a URL that contains non-ASCII characters would fail because the naive "str(foo)" scheme used in urllib would use the default system encoding, which we can't trust at all.
612156e4 · Anthony Lenton · 8e6a7f82 · b4b3a1cb · 612156e4 · 612156e4
Commit 612156e4 authored Mar 13, 2013 by Anthony Lenton
Hide whitespace changes
Inline Side-by-side

Showing with 16 additions and 3 deletions

django_openid_auth/tests/test_views.py
+10 -1

django_openid_auth/views.py
+6 -2

No files found.
--- a/django_openid_auth/tests/test_views.py
+++ b/django_openid_auth/tests/test_views.py
+# -*- coding: utf-8 -*-
 # django-openid-auth -  OpenID integration for django.contrib.auth
 #
-# Copyright (C) 2009-2010 Canonical Ltd.
+# Copyright (C) 2009-2013 Canonical Ltd.
 #
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions
@@ -264,6 +265,14 @@ class RelyingPartyTests(TestCase):
        response = self.client.get('/getuser/')
        self.assertEquals(response.content, 'someuser')

+    def test_login_with_nonascii_return_to(self):
+        """Ensure non-ascii characters can be used for the 'next' arg."""
+        for url in [u'/files/moño.jpg', u'/files/ñandú.jpg'.encode('utf-8')]:
+            response = self.client.post('/openid/login/',
+                {'openid_identifier': 'http://example.com/identity',
+                 'next': url})
+            self.assertContains(response, 'OpenID transaction in progress')
+
    def test_login_no_next(self):
        """Logins with no next parameter redirect to LOGIN_REDIRECT_URL."""
        user = User.objects.create_user('someuser', 'someone@example.com')

--- a/django_openid_auth/views.py
+++ b/django_openid_auth/views.py
 # django-openid-auth -  OpenID integration for django.contrib.auth
 #
 # Copyright (C) 2007 Simon Willison
-# Copyright (C) 2008-2010 Canonical Ltd.
+# Copyright (C) 2008-2013 Canonical Ltd.
 #
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions
@@ -244,7 +244,11 @@ def login_begin(request, template_name='openid/login.html',
            return_to += '&'
        else:
            return_to += '?'
-        return_to += urllib.urlencode({redirect_field_name: redirect_to})
+        # Django gives us Unicode, which is great.  We must encode URI.
+        # urllib enforces str. We can't trust anything about the default
+        # encoding inside  str(foo) , so we must explicitly make foo a str.
+        return_to += urllib.urlencode(
+            {redirect_field_name: redirect_to.encode("UTF-8")})

    return render_openid_request(request, openid_request, return_to)